FreeBSD NFS server not responding to TCP SYN packets from
Linux/SunOS clients
Mike Silbersack
silby at silby.com
Mon Oct 24 02:18:34 PDT 2005
Sorry for the delay, you took me out of the To: listing, so the message
just went into my lists box, which I didn't get to until today.
On Fri, 14 Oct 2005, Nicolas KOWALSKI wrote:
>> Assuming that port reuse is the problem, there is no quick fix for
>> this, just resetting connections when a SYN comes in would be a
>> really big security problem.
>
> Really? Are Linux and Solaris that insecure because of this behaviour?
Not necessarily - there are a bunch of different ways to handle the
situation better than we do at present. I don't know how Solaris/Linux do
it right now, nor have I had time to implement an improvement for FreeBSD.
Maybe in January I'll have time.
>> Actually, there may be a quick fix for this specific machine. If you
>> set net.inet.tcp.keepidle to 1 minute (60*whatever kern.hz is),
>> that'll cause keepalive packets to be sent every minute to an idle
>> connection, rather than every 2 hours. That would kill the stuck
>> connections much quicker.
>
> Unfortunately, this does not work as expected. I just tested with my
> workstation (Linux 2.6), with NFS filesystems mounted with TCP; when
> the station rebooted abruptly, mounting the same NFS filesystems hung
> more than 1 minute (15 minutes just now). During this hang, I saw on
> the server, using netstat, the nfsd process related to my workstation
> in ESTABLISHED state.
>
> Any other tip?
>
> Many Thanks in advance,
> --
> Nicolas
Ok, I have one other quick fix idea, but it's a bit crazy. ipfw is
supposed to send keepalive packets when rules go idle and are about to
expire. So, if you make a keep-state rule for incoming connections, then
maybe ipfw would somehow close down the dead connection.
Mike "Silby" Silbersack